Topic: ktab + kinit + klist -- Kerberos key and ticket cache management tools

Author: eLDAP | posts: 107 | joined: 08/02/2006 | from: Austin, TX

ktab -- A keytab management tool
  ktab allows the user to manage the principal names and service keys stored in a local keytab. A keytab is a host's copy of its own keylist, which is analogous to a user's password.
 
  Syntax

  List:

ktab -l [-k <keytab_name>]

  Add:

ktab -a <principal_name> [<password>] [-k <keytab_name>]

  Delete:

ktab -d <principal_name> [-k <keytab_name>]

  Examples:
 
C:\temp>ktab -a test_user@TEST_REALM.COM -k test_user.keytab
Password for test_user@TEST_REALM.COM:<password>
Done!
Service key for test_user@TEST_REALM.COM is saved in test_user.keytab
 
 
 
C:\temp>ktab -l -k test_user.keytab
Keytab name: C:\temp\test_user.keytab
KVNO    Principal
--------------------------------------------------------------------------
  1     test_user@TEST_REALM.COM
  1     test_user@TEST_REALM.COM
  1     test_user@TEST_REALM.COM
  1     test_user@TEST_REALM.COM
 
 
  Note: If you do not specify the keytab name with -k, it is by default retrieved from the Kerberos configuration file C:\Windows\krb5.ini, from the entry default_keytab_name = FILE:<path-to-file>. If the keytab name is not specified in the Kerberos configuration file, the name is assumed to be <USER_HOME>\krb5.keytab. There is no need for the KDC to authenticate the user during the process of generating the keytab.
 
kinit -- A Kerberos client
  kinit is used to authenticate a user to the KDC and to obtain and cache a Kerberos Ticket-Granting Ticket (TGT).

  Syntax

kinit [-fp] [-c <cache_name>] [-k] [-t <keytab_filename>] [<principal>] [<password>] [-help]

  Examples:

  Authenticate user test_user with <password>
 
C:\temp>kinit test_user@TEST_REALM.COM
Password for test_user@TEST_REALM.COM:<password> 
New ticket is stored in cache file C:\Users\test_user\krb5cc_test_user
 
  Authenticate user test_user with default keytab
 
C:\temp>kinit test_user@TEST_REALM.COM -k
New ticket is stored in cache file C:\Users\test_user\krb5cc_test_user
 
  Authenticate user test_user with specified keytab
 
C:\temp>kinit test_user@TEST_REALM.COM -k -t FILE:C:\temp\test_user.keytab
New ticket is stored in cache file C:\Users\test_user\krb5cc_test_user
 
  Note: By default, on the Windows platform a cache file named <USER_HOME>\krb5cc_<USER_NAME> will be generated. By default, for all Unix platforms a cache file named /tmp/krb5cc_<uid> is generated. C:\Windows\krb5.ini needs to be configured properly for target KDC.
 
klist -- A KeyTab and TGT-cache list tool
  klist allows the user to view entries in the local credentials cache and key tab.

  Syntax

klist [-c [-fe]] [-k [-tK]] [<name>] [-help]

  Examples

  List entries in the specified credentials cache, including the credentials flags and address list:
 
 
klist -c -f FILE:C:\Users\test_user\krb5cc_test_user
Credentials cache: FILE:C:\Users\test_user\krb5cc_test_user
Default principal: test_user@TEST_REALM.COM, 1 entry found.
[1]  Service Principal:  krbtgt/TEST_REALM.COM@TEST_REALM.COM
     Valid starting:  May 04, 2012 16:17
     Expires:         May 05, 2012 02:17
     Flags:           INITIAL;PRE-AUTHENT

  klist can also be used to list entries in the keytab:
 
klist -k -t -K FILE:C:\temp\test_user.keytab
 